Cfscript queries?

[clint317]

Any chance of including scans for scripted queries?:

q = new Query(datasource=mydatasource);
q.setSQL(
"select col1, col2, #col3#
from #schema#.tblname
where fee = :qpFa
and foo = :qpLa
and fum = '#so#'"
);
q.addParam(name="qpFa", value="#val1#", cfsqltype="cf_sql_varchar");
q.addParam(name="qpLa", value="#val2#", cfsqltype="cf_sql_varchar");

[boughtonp]

Not a big one - this isn't a simple thing to add.

The current scanner relies on two things that script queries can't guarantee:

• Only needs to look for hashes to identify potential user-supplied variables.
• Queries are clearly terminated; it just needs to look for </cfquery> to find the end.

Neither of these are the case with the script syntax, and even a rudimentary implementation would require a significant amount of work.

Since I don't work with scripted queries myself, there's no incentive for me to spend that amount of time on something I wouldn't use.

Of course, if anyone wants to have a go and send in a pull request that'd be fine, or if anyone wanted to sponsor the development, that's also an option, but both of those would need to come with a big disclaimer that the functionality would be limited, and probably wouldn't cope with, for example:

sql = "select stuff ...";
if (something) sql &= "...";
...
q.setSQL( sql );